Activation of Secured-core Server on Thomas-Krenn systems

This article provides all the information you need to activate the Secured-core Server feature on Thomas-Krenn systems.
To do so, you have to adjust the corresponding BIOS settings for the respective platform.
The Secured-core Server feature can then be enabled, e.g., via the Windows Admin Center (WAC).
Make sure that the correct, released BIOS, driver and firmware versions are in use. You can download them via this wiki article: Driver & Firmware Downloads - Azure Stack HCI
General information on the default BIOS settings of the Azure Stack HCI systems can be found in this article: BIOS-Settings of Azure Stack HCI systems
Reading out the exact model/system
If you are not sure which system you own, there are several ways to find out:
- On the order confirmation, invoice or delivery note
- In My Account Area on the website of Thomas-Krenn.AG
- Read out via PowerShell using the following command:
Get-ComputerInfo -Property CsManufacturer, CsModel
Azure Stack HCI Rack-Series from AMD of the 4th or 5th generation - AMD EPYC 9004 (Genoa) & AMD EPYC 9005 (Turin)
The following devices belong to the 4th generation of AMD systems:
- AzSHCI Series RA2224 v4
- AzSHCI Series RA2212 v4
The following devices belong to the 5th generation of AMD systems:
- AzSHCI Series RA2224 v5
- AzSHCI Series RA2212 v5
- AzSHCI Series RA1224 v5
- AzSHCI Series RA1212 v5
The following BIOS settings must be activated for Secured-core Server:
- Open BIOS during POST by pressing “F1”
- Advanced -> AMD CBS -> NBIO Common Options -> IOMMU -> Enabled
- Advanced -> AMD CBS -> NBIO Common Options -> DMAr Support -> Enabled
- Advanced -> AMD CBS -> NBIO Common Options -> DMA Protection -> Enabled
- Advanced -> AMD CBS -> NBIO Common Options -> DRTM Virtual Device Support -> Enabled
- Advanced -> AMD CBS -> NBIO Common Options -> DRTM Memory Reservation -> Enabled
- Advanced -> AMD CBS -> UMC Common Options -> DDR Security -> TSME -> Enabled
- Security -> Secure Boot -> Secure Boot -> Enabled
After the operating system has booted up, the chipset driver must be reinstalled.
Background: The DRTM driver is missing from the system and is installed together with the chipset driver.
Azure Stack HCI Rack-Series from Intel of the 5th generation - Intel Xeon Scalable 5th Gen (Emerald Rapids)
The following devices belong to the 5th generation of Intel systems:
- AzSHCI Series RI2112 v5
- AzSHCI Series RI2224 v5
- AzSHCI Series RI2212 v5
Hint: In order for Secured-core Server to work with Intel solutions, the TPM module must first be provisioned. To have this done, contact the Thomas-Krenn support team.
The following BIOS settings must be activated for Secured-core Server:
- Open BIOS during POST by pressing "F1"
- Socket Configuration -> Processor Configuration -> Enable Intel(R) TXT -> Enabled
- Socket Configuration -> IIO Configuration -> Intel VT for Directed I/O (VT-d) -> DMA Control Opt-In Flag -> Enabled
- Security -> Secure Boot -> Secure Boot -> Enabled
Activation in Windows Admin Center (WAC)
Once the BIOS settings for the relevant systems have been set correctly, switch to Windows Admin Center.
Select a system in the server manager and establish a connection.
After this, click on "Security".
Now, you can select the features and activate them using the Enable button.
The status should look as follows after rebooting:
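The same status can also be checked from PowerShell after the reboot. The following script is an added example, not part of the original article and not Thomas-Krenn or Microsoft code; it reads the Win32_DeviceGuard and Win32_Tpm CIM classes and calls Confirm-SecureBootUEFI. The helper name Get-SecuredCoreStatus, the sample object and the mapping of property values to feature names are assumptions of this example.

```powershell
# Added example: report Secured-core feature state from PowerShell (run elevated).
# Get-SecuredCoreStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-SecuredCoreStatus {
    param(
        [Parameter(Mandatory)] $DeviceGuard,  # Win32_DeviceGuard instance or look-alike object
        [bool]   $SecureBoot     = $false,    # result of Confirm-SecureBootUEFI
        [string] $TpmSpecVersion = ''         # Win32_Tpm.SpecVersion, e.g. '2.0, 0, 1.59'
    )
    $running   = @($DeviceGuard.SecurityServicesRunning)
    $available = @($DeviceGuard.AvailableSecurityProperties)
    $checks = [ordered]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        'Virtualization-based security (VBS)'       = $DeviceGuard.VirtualizationBasedSecurityStatus -eq 2
        # SecurityServicesRunning: 2 = memory integrity (HVCI), 3 = System Guard Secure Launch
        'Hypervisor-enforced code integrity (HVCI)' = $running -contains 2
        'System Guard Secure Launch (DRTM)'         = $running -contains 3
        # AvailableSecurityProperties: 3 = DMA protection available
        'DMA protection'                            = $available -contains 3
        'Secure Boot'                               = $SecureBoot
        'TPM 2.0'                                   = $TpmSpecVersion -like '2.0*'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Feature = $name; Active = [bool]$checks[$name] }
    }
}

# Constructed sample: firmware settings applied, but Secure Launch not running.
# Assumed here to resemble a host on which the chipset driver (DRTM driver)
# has not been reinstalled yet.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesRunning           = @(2)
    AvailableSecurityProperties       = @(1, 2, 3, 5, 7)
}
Get-SecuredCoreStatus -DeviceGuard $sample -SecureBoot $true -TpmSpecVersion '2.0, 0, 1.59' |
    Format-Table -AutoSize

# Live check on the server itself.
$dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$sb  = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
Get-SecuredCoreStatus -DeviceGuard $dg -SecureBoot $sb -TpmSpecVersion $tpm.SpecVersion |
    Format-Table -AutoSize
```

For the constructed sample, every row reports Active = True except "System Guard Secure Launch (DRTM)".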
Author: Armin Oberneder
Armin Oberneder has been working for Thomas-Krenn.AG for over 7 years now. He is currently employed in the consulting team and thus takes care of all customer-specific inquiries concerning servers, storage, virtualization and networks. In the past years Armin has specialized in Windows Server, Software-Defined-Technologies and Network Technology. Due to these specializations, he also ensures that our customers are helped as quickly as possible in the event of problems by means of a ticket system, by telephone or in writing via e-mail.

Translator: Alina Ranzinger
Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.


